git: fcd20d3181a7 - stable/13 - nfsd: Fix handling of credentials with cr_ngroups == 0

Wed, 23 Oct 2024 18:14:31 -0700 

The branch stable/13 has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fcd20d3181a7df9ebbb8d333db594a210194959f

commit fcd20d3181a7df9ebbb8d333db594a210194959f
Author:     Rick Macklem <rmack...@freebsd.org>
AuthorDate: 2024-10-21 22:48:39 +0000
Commit:     Rick Macklem <rmack...@freebsd.org>
CommitDate: 2024-10-24 01:13:24 +0000

    nfsd: Fix handling of credentials with cr_ngroups == 0
    
    There has been a documented case in the exports(5) man
    page forever, which specifies that the -maproot or -mapall
    may have a single user entry, followed by a ':'.
    This case is defined as specifying no groups (aka cr_ngroups == 0).
    
    This patch fixes the NFS server so that it handles this case correctly.
    
    After MFC'ng this patch to stable/13 and stable/14, I propose that
    this unusual case be deprecated and no longer allowed in FreeBSD15.
    At that point, this patch can be reverted.
    
    (cherry picked from commit caa309c8811d62a24cd07e3a1f6e9095eaf10c90)
---
 sys/fs/nfsserver/nfs_nfsdsubs.c | 5 ++---
 sys/kern/kern_prot.c            | 7 +++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c b/sys/fs/nfsserver/nfs_nfsdsubs.c
index 0d7e4c73fe69..fa0222bbf3b2 100644
--- a/sys/fs/nfsserver/nfs_nfsdsubs.c
+++ b/sys/fs/nfsserver/nfs_nfsdsubs.c
@@ -1623,7 +1623,7 @@ nfsrv_checkuidgid(struct nfsrv_descript *nd, struct 
nfsvattr *nvap)
        if (nd->nd_cred->cr_uid == 0)
                goto out;
        if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid != nd->nd_cred->cr_uid) ||
-           (NFSVNO_ISSETGID(nvap) && nvap->na_gid != nd->nd_cred->cr_gid &&
+           (NFSVNO_ISSETGID(nvap) &&
            !groupmember(nvap->na_gid, nd->nd_cred)))
                error = NFSERR_PERM;
 
@@ -1682,8 +1682,7 @@ nfsrv_fixattr(struct nfsrv_descript *nd, vnode_t vp,
        }
        if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_OWNERGROUP) &&
            NFSVNO_ISSETGID(nvap)) {
-               if (nvap->na_gid == nd->nd_cred->cr_gid ||
-                   groupmember(nvap->na_gid, nd->nd_cred)) {
+               if (groupmember(nvap->na_gid, nd->nd_cred)) {
                        nd->nd_cred->cr_uid = 0;
                        nva.na_gid = nvap->na_gid;
                        change++;
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 5dea43971e3d..abe989045fb8 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1306,6 +1306,13 @@ int
 groupmember(gid_t gid, struct ucred *cred)
 {
 
+       /*
+        * The nfsd server can use a credential with zero groups in it
+        * when certain mapped export credentials are specified via exports(5).
+        */
+       if (cred->cr_ngroups == 0)
+               return (0);
+
        if (cred->cr_groups[0] == gid)
                return (1);

Reply via email to